Skip links

Atlassian fixes critical command injection bug in Bitbucket Server



Atlassian has released updates to address critical-severity updates in its centralized identity management platform, Crowd Server and Data Center, and in Bitbucket Server and Data Center, the company’s solution for Git repository management.

Both security vulnerabilities received a severity rating of 9 out of 10 (calculated by Atlassian) and affect multiple versions of the products.

Misconfiguration in Crowd

Rated critical, the issue in Crowd Server and Data Center is tracked as CVE-2022-43782 and is a misconfiguration that allows an attacker to bypass password checks when authenticating as the Crowd app and to call privileged API endpoints.

The issue was introduced in version 3.0 of the product and does not affect upgrades from previous versions, like 2.9.1.

Atlassian explains that exploitation is possible under certain conditions. One of them is a changed Remote Address configuration to include an allowed IP address, a deviation from the default setting (none).

“This would allow the attacker to call privileged endpoints in Crowd’s REST API under the user management path,” Atlassian notes in a security advisory.

The issue impacts Crowd versions 3.0.0 to 3.7.2, 4.0.0 to 4.4.3, and 5.0.0 to 5.0.2. Crowd 5.0.3 and 4.4.4 are not affected.

Atlassian will not fix the flaw in version 3.0.0 of the product because it reached end of life and support.

The security advisory provides detailed instructions for administrators to check if an instance has been compromised and the steps to follow in such cases.

Bitbucket flaw details

The flaw affecting Bitbucket Server and Data Center was introduced in version 7.0 of the product and is identified as CVE-2022-43781. It is a command injection vulnerability that lets an attacker with permission to control their username to gain code execution on the target system under certain conditions.

All versions from 7.0 to 7.21 are affected regardless of their configuration as well as versions 8.0 through 8.4 where the “mesh.enabled” function is disabled under “”

CVE-2022-43781 does not affect instances running PostgreSQL and those hosted by Atlassian (accessed via a domain).

The versions that fix the problem are:

7.6.19 or newer
7.17.12 or newer
7.21.6 or newer
8.0.5 or newer
8.1.5 or newer
8.2.4 or newer
8.3.3 or newer
8.4.2 or newer
8.5.0 or newer

Users unable to upgrade to the fixed versions should disable “Public Signup”, which would require the attacker to authenticate using valid credentials, which reduces the risk of exploitation.

The security advisory notes that ADMIN and SYS_ADMIN users can still exploit the flaw under this configuration, so it should be treated as a temporary mitigation measure.

Adblock test (Why?)